John Strand// In this webcast John walks through a couple of cool things we’ve found useful in some recent network hunt teams. He also shares some of our techniques and tools (like RITA) that we use all the time to work through massive amounts of data. There are lots of awesome websites that can greatly […]
Beau Bullock, Brian Fehrman, & Derek Banks // Pentesting organizations as your day-to-day job quickly reveals commonalities among environments. Although each test is a bit unique, there’s a typical path to “winning” that present themselves over and over. Expensive, difficult to configure, and cumbersome to maintain tools exist to help prevent and alert on some […]
Derek Banks // I want to expand on our previous blog post on consolidated endpoint event logging and use Windows Event Forwarding and live off the Microsoft land for shipping events to a central location. Why do this? I wanted a Windows-based server with all of the event logs from the environment so that […]
Derek Banks, Beau Bullock & Brian Fehrman // Our clients often ask how they could have detected and prevented the post-exploitation activities we used in their environment to gain elevated privileges and ultimately access sensitive data. Most of the time, this is achieved through credential abuse. As pentesters, the primary condition we take advantage […]
This is the in-studio version of our live in DC event from July. In this webcast, John covers how to set up Active Directory Active Defense (ADAD) using tools in Active Defense Harbinger Distribution (ADHD). He shows how to create honey accounts, create callback word documents, and create fake SMB shares! Slides here: https://www.dropbox.com/s/kyfugi66j56ek8v/HoneyAdmin_AndShare.pptx?dl=0
Kent R. Ickler // How to Configure Distributed Fail2Ban: Actionable Threat Feed Intelligence Fail2Ban is a system that monitors logs and triggers actions based on those logs. While actions can be very customized, the typical use case is monitoring an auth-log for authentication errors and configuring a system to block the offending source IP. Fail2Ban […]
Kent R. Ickler // You’ve heard us before talk about Bro, an IDS for network monitoring and analysis. We’ve had several installs of Bro over time here at BHIS. It’s about time for another build, and I thought it would be a good time to share an example methodology. This post is going to be […]
John Strand // In this webcast John covers how to set up Active Directory Active Defense (ADAD) using tools in Active Defense Harbinger Distribution (ADHD) and talks about potential active defense laws like Active Cyber Defense Certainty (ACDC). He shows how to create honey accounts, create callback word documents, and create fake SMB shares! All […]
Joff Thyer & Derek Banks Editor’s Note: This is a more in-depth write-up based on the webcast which can be watched here. As penetration testers, we often find ourselves in the position of making recommendations for “increasing visibility for endpoints” with respect to event logging. We usually feel great about this, because it is without […]
